Canadian Security Intelligence Service (Re), 2023 OIC 11

Date: 2023-02-28
OIC file number: 5820-01454
Institution file number: 117-2019-275

Summary

The complainant alleged that the Canadian Security Intelligence Service (CSIS) when responding to a request under the Access to Information Act, failed to sufficiently identify which portions of the requested records have been redacted and on what basis specific information has been withheld. The request was for historical information about Warren Hart and his activities/services in Canada that were contracted by a government institution.

The investigation determined that CSIS used negative (white) redactions to sever portions of the requested records based on exceptions to the right of access, and, did not specify on the records at issue what portions of the records were being withheld under which exemption claimed.

CSIS claimed that marking where information was redacted and on what basis specific information has been withheld could itself result in harm.

The Information Commissioner concluded that CSIS failed to provide any cogent explanation of how the use of clearly marked redactions and exemptions on the records at issue could possibly reveal or enable anyone to decipher information that would warrant protection under the Access to Information Act.

The Commissioner recommended that CSIS: provide a new response to the complainant that clearly identifies which portions of the records are withheld and cite, for each portion, the specific provision(s) of Part 1 of the Access to Information Act under which they are redacted; cease the use of negative (white) redactions; and, cease routinely citing the specific exemptions only in response letters, with the latter two recommendations being in accordance with the Treasury Board Secretariat’s Directive on Access to Information.

CSIS gave notice to the Commissioner that it would be implementing the recommendations.

The complaint is well founded.

Complaint

[1] The complainant alleged that the Canadian Security Intelligence Service (CSIS), when responding to a request under the Access to Information Act, failed to sufficiently identify which portions of the requested records have been redacted and on what basis specific information has been withheld. The request was for historical information about Warren Hart and his activities/services in Canada that were contracted by a government institution.

Investigation

[2] In the present instance, CSIS:

• used negative (white) redactions to sever portions of the requested records based on exceptions to the right of access, and
• did not specify on the records at issue what portions of the records were being withheld under which exemption claimed.

[3] The complainant alleged that in doing so, CSIS did not sufficiently identify which portions of the requested records have been redacted and on what grounds and that this, in turn, contravenes the Act.

Did CSIS satisfy its statutory obligations when using negative redactions and failing to specify which exemptions have been relied on to withhold specific portions of the requested records?

[4] The Act provides a right of access to information in records under the control of government institutions. Exceptions to the right of access are limited to specific and necessary exceptions set out in the Act (paragraph 2(2)(a)). Subsection 10(1) requires institutions, when refusing to provide access to requested records, or parts of requested records, to notify requesters of the following:

• the records do not exist; or
• the specific provision(s) under which they are refusing access; or
• the specific provision(s) of the Act under which they could reasonably refuse access if the records were to exist.

[5] Institutions are required to sever and disclose all portions of those records that do not warrant redaction under a specific provision set out in Part I of the Act, save for if this cannot reasonably be done (section 25). They are also required to “… make every reasonable effort to assist the person in connection with the request” and “respond to the request accurately and completely …” (subsection 4(2.1)).

[6] While the Act does not expressly prescribe how redaction must be completed, caselaw under the Act recognizes that a requester must be given sufficient information to enable them to identify and challenge exemptions claimed (see, for example: Blank v. Canada (Environment), 2007 FCA 289, para. 6).

[7] Also, at the time that the access request was processed, the Treasury Board Secretariat’s “Interim Directive on the Administration of the Access to Information Act” was in force. It required the following of institutions:

7.8.2 Citing all exemptions invoked in relation to those on the records, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based.

[8] It is the position of CSIS that the practice of applying negative redactions as well as citing the specific exemptions in its response letter to requesters (rather than on the documents themselves) is not in contravention of the Act or the duty to assist principles, or the TBS Interim Directive.

[9] CSIS claimed that given the sensitive nature of the information exempted, it provided the information regarding exemptions to the complainant in the response letter.

[10] CSIS provided a hypothetical example of a requester’s ability to deduce what would have been received from a foreign government regarding an individual’s security clearance and the significance of the information if redactions and exemptions were clearly marked on the records. Leaving aside the improbability of the example provided, it is not relevant to the present access request.

[11] During the investigation, CSIS failed to provide any cogent explanation of how the use of clearly marked redactions and exemptions on the records at issue could possibly reveal or enable anyone to decipher information that would warrant protection under the Act.

[12] I noted that during the course of the investigation, in July 2022, TBS issued its “Directive on Access to Information”. The updated relevant provisions state:

4.1.34 Citing exemptions and exclusions invoked on records, provided under Part 1 of the Act, on each page, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based to materialize.

4.1.35 Clearly identifying the redacted material in a manner that is evident on the individual record.

[13] The Directive is binding on federal government institutions, including CSIS, through the Policy on Access to Information. Sections 6 and 7 cover the application of the Policy and the Directive as well the consequences of non-compliance.

[14] While the new policy was published only recently, these provisions reflect perfectly what the Act and the caselaw have been expecting from an institution. In light of this, the OIC has asked CSIS whether its position had changed. CSIS maintained its position and declined to cite the exemptions invoked on each page of the records and to clearly identify the redactions, without having convinced me that doing so “would reveal the exempted information or cause the injury upon which the exemption is based to materialize”.

[15] In light of this, I cannot accept that CSIS is justified in having failed to identify which exemptions were applied to which portions of the records at issue. I conclude that CSIS failed to meet its obligations with respect to severance and duty to assist set out in subsection 4(2.1).

Result

[16] The complaint is well founded.

Recommendations

I recommend that the Director of the Canadian Security Intelligence Service:

1. Provide a new response to the complainant that clearly identifies which portions of the records are withheld and cite, for each portion, the specific provision(s) of Part 1 of the Act under which they are redacted;
2. Cease the use of negative (white) redactions, as required by the TBS’ Directive on Access to Information; and
3. Cease routinely citing the specific exemptions only in response letters, as required by the TBS’ Directive on Access to Information.

On January 18, 2023, I issued my initial report to CSIS setting out my recommendations.

On February 22, 2023, the Access to Information and Privacy Coordinator of CSIS gave me notice that CSIS agrees with my findings and intends to undertake the following:

• CSIS will begin the use of positive redactions in disclosures to requestors;
• CSIS will provide a new response to the complainant that identifies which portions of the records were withheld and cite, for each portion, the specific provisions of Part 1 of the Act under which they are redacted;
• Moving forward, CSIS will specify the exemptions claimed on the records at issue, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based, as per the updated TBS Directive on Access to Information.

When a complaint falls within the scope of paragraph 30(1)(a), (b), (c), (d), (d.1) or (e) of the Act, the complainant has the right to apply to the Federal Court for a review. The complainant must apply for this review within 35 business days after the date of this report and must serve a copy of the application for review to the relevant parties, as per section 43.